Two plaintiffs have filed a class-action lawsuit against The Walt Disney Company for wrongfully exfiltrating children’s personally identifying information.

Amanda Rushing and her child “L.L.” submitted their claims to the San Francisco/Oakland Division of the U.S. District Court for the Northern District of California on 3 August. In so doing, they brought action on behalf of themselves and all others who feel Disney did not abide by existing data protection laws when designing some of its mobile apps. Their complaint seeks to try Disney and its partners by jury for their alleged violations.

The class-action lawsuit reaches back to 14 January 2014 when Ms. Rushing installed one of Disney’s apps called “Disney Princess Palace Pets” onto L.L.’s device. L.L. thereafter played the game on an ongoing basis. Unbeknownst to them or their mother, L.L. inadvertently handed over their personal information to Disney while they played the game.

As it turns out, Disney had consulted with three partners to insert advertising-specific software development kits (SDKs) into Disney Princess Palace Pets and some of its other applications. These SDKs gather pieces of data and help advertisers detect a user’s activity via persistent identifiers. SDK providers can subsequently use these persistent identifiers to track someone across multiple devices and apps with the intention of serving targeted ads.

SDKs are not illegal on their own. But app developers can leverage them in ways that violate data protection laws.

Take Disney. As its apps target mainly children aged 13 years and under, the entertainment conglomerate is supposed to follow the Children’s Online Privacy Protection Rule (COPPA), which, among other things, requires developers to obtain parents’ permission before they collect children’s personally identifying information. Well, Disney allegedly never requested Ms. Rushing’s permission at the time of installation, following installation, or on the home page of the Disney Princess Palace Pets app. Hence Ms. Rushing and L.L.’s claims that the company committed “highly offensive” intrusions into their privacy.

“The ability to serve behavioral advertisements to a specific user no longer turns upon obtaining the kinds of data with which most consumers are familiar (email addresses, etc), but instead on the surreptitious collection of persistent identifiers, which are used in conjunction with other data points to build robust online profiles. Permitting technology companies to obtain persistent identifiers associated with children exposes them to the behavioral advertising (as well as other privacy violations) that COPPA was designed to prevent.”

Ms. Rushing and L.L. want Disney and its partners to stop wrongfully collecting children’s information and to award appropriate relief to everyone affected.

In 2011, the company paid $3 million to settle a complaint that Playdom, Disney’s online game developer which suffered a breach in August 2016, illegally collected and disclosed children’s information. Three years later, the Center for Digital Democracy filed a complaint alleging similar violations against the conglomerate’s Marvelkids.com.

Given this track record, parents and their children might want to think carefully about downloading one of Disney’s apps. Maybe just put on one of the princess movies instead…

For further discussion on this issue with Disney apps, make sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #037: ‘Boobs, dragons and data breaches’